Merge pull request #3928 from rvermeulen/java-importable-cwe-113

Java: Move `HeaderSplittingSink` and `WhitelistedSource` into importable library
2025-12-24 04:36:35 +01:00 · 2020-08-05 10:16:00 +02:00
parent 32d9d270fc c2733ad22e
commit 9e78341e43
4 changed files with 53 additions and 41 deletions
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -11,7 +11,8 @@
 */

 import java
-import ResponseSplitting
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ResponseSplitting
 import DataFlow::PathGraph

 class ResponseSplittingConfig extends TaintTracking::Configuration {
@@ -19,7 +20,7 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource and
-    not source instanceof WhitelistedSource
+    not source instanceof SafeHeaderSplittingSource
  }

  override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll
@@ -1,38 +0,0 @@
-import java
-import semmle.code.java.frameworks.Servlets
-import semmle.code.java.dataflow.FlowSources
-
-/**
- * Header-splitting sinks. Expressions that end up in an HTTP header.
- */
-class HeaderSplittingSink extends DataFlow::ExprNode {
-  HeaderSplittingSink() {
-    exists(ResponseAddCookieMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.getExpr() = ma.getArgument(0)
-    )
-    or
-    exists(ResponseAddHeaderMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.getExpr() = ma.getAnArgument()
-    )
-    or
-    exists(ResponseSetHeaderMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.getExpr() = ma.getAnArgument()
-    )
-    or
-    exists(JaxRsResponseBuilder builder, Method m |
-      m = builder.getAMethod() and m.getName() = "header"
-    |
-      this.getExpr() = m.getAReference().getArgument(1)
-    )
-  }
-}
-
-class WhitelistedSource extends DataFlow::ExprNode {
-  WhitelistedSource() {
-    this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
-    this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
-  }
-}
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -12,7 +12,7 @@

 import java
 import semmle.code.java.dataflow.FlowSources
-import ResponseSplitting
+import semmle.code.java.security.ResponseSplitting
 import DataFlow::PathGraph

 class ResponseSplittingLocalConfig extends TaintTracking::Configuration {